Full Report
Cybersecurity researchers have shed light on a previously undocumented threat actor called NightEagle (aka APT-Q-95) that has been observed targeting Microsoft Exchange servers as a part of a zero-day exploit chain designed to target government, defense, and technology sectors in China. According to QiAnXin's RedDrip Team, the threat actor has been active since 2023 and has switched network
Analysis Summary
# Threat Actor: NightEagle (APT-Q-95)
## Attribution & Identity
The threat actor is identified as **NightEagle**, also known by the moniker **APT-Q-95**. Researchers speculate the actor originates from **North America**, based on their observed operational hours (9 p.m. to 6 a.m. Beijing time). The actor has been active since at least **2023** and is noted for switching its network infrastructure at an extremely fast rate.
## Activity Summary
NightEagle has been observed executing sophisticated attacks primarily targeting government, defense, and technology sectors within China. These campaigns center around leveraging a **zero-day exploit chain against Microsoft Exchange servers** to gain initial access and conduct espionage. The fast operational tempo and the focus on high-value targets suggest a state-sponsored espionage effort.
## Tactics, Techniques & Procedures
- Exploiting a **zero-day vulnerability** in Microsoft Exchange to gain initial unauthorized access by obtaining the `machineKey`.
- Using the stolen key to carry out deserialization against the Exchange server, which lets them implant malware on any compatible Exchange version.
- **Implanting a Trojan** via a **.NET loader** into the Microsoft Exchange Server's **Internet Information Services (IIS)** process.
- Utilizing a **bespoke, Go-based version of the Chisel utility** for achieving intranet penetration.
- Post-exploitation activity includes establishing **SOCKS connections** to C2 infrastructure and remotely **reading mailbox data**.
- The modified Chisel utility was configured to execute automatically every four hours via a **scheduled task**.
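The four-hourly scheduled task is the most concrete, host-level artefact in this chain, so here is an added hunting example (not code from the report or from QiAnXin) that inspects the Task XML carried in Windows Security event 4698 (task created) and reports tasks on Exchange hosts whose executable lives outside the expected install directories, noting any short repetition interval. The host list, allowed paths, task names and sample events are constructed assumptions.

```python
"""Flag suspicious scheduled-task creations on Exchange hosts (added example)."""
import re
import xml.etree.ElementTree as ET

# Namespace used by the Task XML that event 4698 embeds.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed: directories from which tasks on an Exchange host are expected to run.
ALLOWED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\program files\\microsoft\\exchange server\\",
)

# Assumed: hostnames of the Exchange servers under review.
EXCHANGE_HOSTS = {"EXCH01", "EXCH02"}


def parse_iso_duration_hours(value):
    """PT4H -> 4.0, PT30M -> 0.5, P1D -> 24.0; None if not an ISO-8601 duration."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", (value or "").strip())
    if not m or not any(m.groups()):
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 24 + hours + minutes / 60 + seconds / 3600


def analyze_task_xml(task_xml):
    """Return (commands outside allowed paths, shortest repetition interval in hours)."""
    root = ET.fromstring(task_xml)
    bad_commands = []
    for exec_node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=TASK_NS).strip().strip('"')
        # Attackers rename binaries freely, so judge the location, not the file name.
        if cmd and not cmd.lower().startswith(ALLOWED_PREFIXES):
            bad_commands.append(cmd)
    intervals = [parse_iso_duration_hours(n.text)
                 for n in root.findall(".//t:Repetition/t:Interval", TASK_NS)]
    intervals = [h for h in intervals if h is not None]
    return bad_commands, (min(intervals) if intervals else None)


def hunt_task_events(events, exchange_hosts):
    """Produce one finding per Exchange-host task whose action runs from an unexpected path."""
    findings = []
    for ev in events:
        if ev["host"] not in exchange_hosts:
            continue
        bad_commands, interval = analyze_task_xml(ev["task_xml"])
        if not bad_commands:
            continue
        findings.append({
            "host": ev["host"],
            "task": ev["task_name"],
            "creator": ev["subject"],
            "commands": bad_commands,
            "interval_hours": interval,
        })
    return findings


# Constructed sample events: a renamed tool repeating every four hours, a benign Exchange task,
# and an out-of-path task on a non-Exchange host that is out of scope for this hunt.
SAMPLE_EVENTS = [
    {"host": "EXCH01", "subject": "NT AUTHORITY\\SYSTEM", "task_name": "\\Updates\\Refresh",
     "task_xml": r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT4H</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\ProgramData\svc\updater.exe</Command><Arguments>--config c.json</Arguments></Exec></Actions>
</Task>"""},
    {"host": "EXCH01", "subject": "NT AUTHORITY\\SYSTEM", "task_name": "\\Exchange\\Maintenance",
     "task_xml": r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Repetition><Interval>P1D</Interval></Repetition></CalendarTrigger></Triggers>
  <Actions><Exec><Command>"C:\Program Files\Microsoft\Exchange Server\Bin\Maint.exe"</Command></Exec></Actions>
</Task>"""},
    {"host": "FILE01", "subject": "CORP\\admin", "task_name": "\\Backup",
     "task_xml": r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>D:\tools\backup.exe</Command></Exec></Actions>
</Task>"""},
]

if __name__ == "__main__":
    for f in hunt_task_events(SAMPLE_EVENTS, EXCHANGE_HOSTS):
        print(f)
```

In production the events would come from a SIEM query for event 4698 restricted to the Exchange hosts; the interval field is reported rather than used as a filter so that a four-hourly task stands out without suppressing implants that use a different cadence.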
## Targeting
- **Sectors:** Government, Defense, Technology, High-tech, Chip Semiconductors, Quantum Technology, and Artificial Intelligence.
- **Geography:** China.
- **Victims:** Entities operating within China's highly sensitive defense and technology verticals.
## Tools & Infrastructure
- **Malware families used:**
- Bespoke, Go-based version of the **Chisel** intranet penetration tool (modified source code).
- Unspecified **.NET loader**.
- Unspecified **Trojan** implanted into IIS.
- **Infrastructure (C2, domains, IPs):**
- Communication established over TCP port **443** to specified C2 addresses. (Specific C2 details were not fully extracted from the summary, only the protocol/port).
## Implications
NightEagle represents a sophisticated, well-resourced threat actor capable of exploiting sensitive, high-impact vulnerabilities (the Exchange zero-day) for persistent intelligence gathering against critical industry verticals in China. Its rapid infrastructure rotation suggests a strong emphasis on operational security. Successful compromise via this chain gives the actor deep access to sensitive communications (mailbox data).
## Mitigations
- Apply immediate patches and security updates for Microsoft Exchange Server, especially considering the zero-day exploitation observed.
- Enhance monitoring and detection for anomalous activity within IIS and scheduled task creation on Exchange infrastructure.
- Implement robust endpoint detection and response (EDR) capable of identifying modified or unusual versions of legitimate tools like Chisel.
- Review network egress traffic for outbound SOCKS connections or unusual activity on port 443 originating from Exchange servers.
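The last mitigation asks for an egress review, and the TTP section gives two signals worth encoding: long-lived, high-volume sessions on 443 from an Exchange server (consistent with a SOCKS tunnel) and repeated sessions to one peer at a regular interval (the four-hourly task). The following added example, which is not code from the report, runs both checks over constructed firewall connection records; the Exchange host IPs, the expected-peer allowlist, the thresholds and the log format are all assumptions.

```python
"""Review Exchange-server egress for tunnel-like or periodic 443 sessions (added example)."""
from collections import defaultdict
from datetime import datetime, timezone

EXCHANGE_HOSTS = {"10.0.5.10", "10.0.5.11"}   # assumed Exchange server IPs
EXPECTED_PEERS = {"198.51.100.7"}             # assumed legitimate 443 peers (updates, M365)
LONG_SESSION_SECONDS = 3600                   # assumed threshold for a tunnel-like session
LARGE_OUTBOUND_BYTES = 50 * 1024 * 1024       # assumed threshold for bulk exfiltration


def parse_record(line):
    """Parse one 'timestamp key=value ...' connection record into a dict."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    for key in ("dport", "dur", "bytes_out"):
        rec[key] = int(rec[key])
    return rec


def regular_period_hours(timestamps, tolerance=0.15):
    """Mean gap in hours if three or more timestamps are evenly spaced, else None."""
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = sum(gaps) / len(gaps)
    if mean <= 0 or any(abs(g - mean) > tolerance * mean for g in gaps):
        return None
    return mean / 3600


def analyze_egress(lines):
    """Group outbound 443 sessions from Exchange hosts by peer and flag tunnel/beacon patterns."""
    sessions = defaultdict(list)
    for line in lines:
        r = parse_record(line)
        if r["src"] not in EXCHANGE_HOSTS or r["proto"] != "tcp" or r["dport"] != 443:
            continue
        if r["dst"] in EXPECTED_PEERS:
            continue
        sessions[(r["src"], r["dst"])].append(r)

    findings = []
    for (src, dst), recs in sessions.items():
        reasons = []
        if any(x["dur"] >= LONG_SESSION_SECONDS or x["bytes_out"] >= LARGE_OUTBOUND_BYTES
               for x in recs):
            reasons.append("long-lived or high-volume 443 session (tunnel-like)")
        period = regular_period_hours([x["ts"] for x in recs])
        if period is not None:
            reasons.append(f"{len(recs)} sessions at a regular ~{period:.1f}h interval")
        if reasons:
            findings.append({"src": src, "dst": dst, "reasons": reasons})
    return findings


# Constructed sample log: three four-hourly sessions from an Exchange host to one unknown peer
# (one of them an hour long), a session to an allowlisted peer, a brief session to another
# unknown peer, and a long session from a non-Exchange host that this review ignores.
SAMPLE_LOG = """\
2025-07-01T00:00:05Z src=10.0.5.10 dst=203.0.113.42 dport=443 proto=tcp dur=3599 bytes_out=120000
2025-07-01T04:00:07Z src=10.0.5.10 dst=203.0.113.42 dport=443 proto=tcp dur=3600 bytes_out=90000000
2025-07-01T08:00:04Z src=10.0.5.10 dst=203.0.113.42 dport=443 proto=tcp dur=3590 bytes_out=150000
2025-07-01T08:10:00Z src=10.0.5.10 dst=198.51.100.7 dport=443 proto=tcp dur=12 bytes_out=4096
2025-07-01T09:00:00Z src=10.0.5.10 dst=192.0.2.9 dport=443 proto=tcp dur=3 bytes_out=2048
2025-07-01T09:30:00Z src=10.0.9.3 dst=203.0.113.42 dport=443 proto=tcp dur=9000 bytes_out=1000
""".splitlines()

if __name__ == "__main__":
    for f in analyze_egress(SAMPLE_LOG):
        print(f)
```

A single short session to an unknown peer is deliberately not reported, since Exchange servers talk to many legitimate 443 endpoints; the duration, volume and periodicity tests are what separate a tunnel or beacon from ordinary traffic, and the tolerance in `regular_period_hours` absorbs the few seconds of jitter that a scheduled task introduces.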